Practical Guide to Alternative Data Streams in NTFS

Thread: Practical Guide to Alternative Data Streams in NTFS

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Practical Guide to Alternative Data Streams in NTFS


    Alternative Data Stream support was added to NTFS (Windows NT, Windows 2000 and Windows XP) to help support the Macintosh Hierarchical File System (HFS), which uses resource forks to store icons and other information for a file. While this is the intended use (as well as a few Windows internal functions), there are other uses for Alternative Data Streams that should concern system administrators and security professionals. Using Alternative Data Streams, a user can easily hide files that can go undetected unless closely inspected. This tutorial will give basic information on how to manipulate and detect Alternative Data Streams.

    (Note about conventions: Alternative Data Streams are also sometimes referred to as Alternate Data Streams or ADS. Since "Alternative Data Streams" is so long, and "ADS" can be confused with Active Directory Services, I will simply call this feature AltDS for short.)

    Creating an AltDS

    Making an AltDS is fairly simple. I will use command line examples, feel free to follow along. We could hide some data in an AltDS behind an already existing file, but for this example we will create a new base file to hide behind:

    Code:
    C:\>echo Just a plain text file>sample.txt
    
    C:\>type sample.txt
    Just a plain text file
    
    C:\>
    Next we will use a colon as the operator to tell our commands to create or use an AltDS:

    Code:
    C:\>echo You can't see me>sample.txt:secret.txt
    Unfortunately, the use of the colon operator is a bit hit or miss in its implementation and sometimes does not work as we might expect, as seen below:

    Code:
    C:\>type sample.txt:secret.txt
    The filename, directory name, or volume label syntax is incorrect.
    Since the “type” command does not understand the colon operator, we will have to use notepad to read the file:

    Code:
    C:\>notepad sample.txt:secret.txt
    If all worked well, you should now see a notepad window with the text “You can't see me” in it. Also notice that, while the amount of total hard drive space free went down, the file size of sample.txt did not increase:

    Code:
    C:\>dir sample.txt
     Volume in drive C has no label.
     Volume Serial Number is 40CC-B506
    
     Directory of C:\
    
    09/27/2004  01:58 PM                23 sample.txt
                   1 File(s)             23 bytes
                   0 Dir(s)  12,658,040,832 bytes free
    
    C:\>
    You can make an AltDS on not only files but also directories; here is a quick example:

    Code:
    C:\>md stuff
    
    C:\>cd stuff
    
    C:\stuff>echo Hide stuff in stuff>:hide.txt
    
    C:\stuff>dir
     Volume in drive C has no label.
     Volume Serial Number is 40CC-B506
    
     Directory of C:\stuff
    
    09/28/2004  10:19 AM    <DIR>          .
    09/28/2004  10:19 AM    <DIR>          ..
                   0 File(s)              0 bytes
                   2 Dir(s)  12,253,208,576 bytes free
    
    C:\stuff>notepad :hide.txt
    Hopefully you now see a notepad window with hide.txt’s contents. If all one could do with AltDS was hide text files it would not be that impressive, but there’s much more that can be done with this useful NTFS feature.

    Hiding and running an executable.

    As it turns out, using AltDS to hide executables is not much harder than it is to hide text files. AltDS makes for a great way for malware to hide itself on a system. Here’s an example of how an executable can be hidden behind another file:

    First we make our file to hide behind:

    Code:
    C:\WINDOWS>echo Test>test.txt
    Next we put an EXE behind it; I'm just using notepad.exe because it’s convenient:

    Code:
    C:\WINDOWS>type notepad.exe>test.txt:note.exe
    Next we confirm what someone sees when they open the text file:

    Code:
    C:\WINDOWS>type test.txt
    Test
    Now we will confirm the file size; notice that adding notepad.exe as a stream did not increase the size of test.txt.

    Code:
    C:\WINDOWS>dir test.txt
     Volume in drive C has no label.
     Volume Serial Number is 007E-2E3C
    
     Directory of C:\WINDOWS
    
    09/19/2004  08:37 AM                 6 test.txt
                   1 File(s)              6 bytes
                   0 Dir(s)  19,734,708,224 bytes free
    Now we will attempt to run our hidden exe. Notice the “.\” in front of the file name; this is necessary because the “start” command needs to know the correct path to the file (at least if you are using XP).

    Code:
    C:\WINDOWS>start .\test.txt:note.exe
    
    C:\WINDOWS>
    If all worked well there should now be a notepad window up on your system. You should be able to hide just about any other EXE file this way if you wish.

    IIS and Alternative Data Streams

    While I was at Taco Bell recently I was thinking about what I could do in this tutorial that would make it a little different from other essays on Alternative Data Streams, which brought to mind a question: Does Microsoft’s Internet Information Server work with Alternative Data Streams? As it happens, it does (at least IIS 6 at the time of this writing). I ran the following commands to test it out:

    Code:
    W:\>echo the text file>t.txt
    
    W:\>type xx.php >t.txt:x.php
    xx.php being a PHP file with the following code:

    Code:
    <HTML>
    <BODY>
    <PRE>
    <? 
    echo "If I see this I know it worked"
    ?>
    
    </BODY>
    </HTML>
    If you are following along try and see if you can read the text file off your server. If you don’t have an IIS server just look at the file on my student site (assuming the link is not dead by the time you read this tutorial).
    http://homepages.ius.edu/adrian/t.txt

    That worked as expected. Next try to see if IIS parses out the colon and then interprets the PHP file in the Alternative Data Stream:

    http://homepages.ius.edu/adrian/t.txt:x.php

    What do you know, it works! I could think of a few things that users might want to hide in web pages like this (movies, porn, scripts and such).

    Hiding Videos

    One can also hide videos in Alternative Data Streams, but depending on how you put them in the streams they can be hard to play. For my examples I will use a video with spaces in the name just to complicate matters and show that it can be done. First let us create an AltDS behind the sample.txt file we made earlier; notice the use of quotation marks to compensate for the spaces in the file names:

    Code:
    C:\>type "Naughty Linux Girls.avi" >"sample.txt:Naughty Linux Women.avi"
    Give the above command some time; subjectively it seems that AltDS is a little slow to work its magic. After the above command finishes we will attempt to open the video stream. I’ll use Windows Media Player in my example since most of you should have it on your box and I know it works with AltDS:

    Code:
    C:\>"C:\Program Files\Windows Media Player\wmplayer.exe" "c:\sample.txt:Naughty Linux Women.avi"
    If all worked well the video should now be playing. Pretty cool huh?

    Retrieving a file from an Alternative Data Stream

    Since support for AltDS is hit and miss in Windows we need to get an extra tool to suck data back out of an AltDS and put it back in a regular file. For this we will use a Windows port of the *nix tool “cat” (download it and other tools from http://unxutils.sourceforge.net/ ). Retrieving the original file is simple:

    Code:
    C:\>cat "sample.txt:Naughty Linux Women.avi">"Naughty Linux Women.avi"
    If all works well "Naughty Linux Women.avi" should contain all the original data of the video we put into the stream.

    Finding AltDS

    Some anti-malware tools understand how to search Alternate Data Streams for malware. I know Ad-Aware SE Build 1.05 can recognize known spyware in AltDSes (see http://www.lavasoftsupport.com/index...howtopic=40692 for more details). I’ve had a devil of a time finding out if other tools like Spybot or Symantec Antivirus look at AltDS; the vendors' websites give little information on it. If you know, email me and I will update this tutorial.

    Now I will show you a few tools you can use to find Alternate Data Streams. First there’s LADS by Frank Heyne (see the tools section at the bottom of this tutorial for where to download LADS and other apps). LADS seems to work quite well for finding the streams we created above:

    Code:
    C:\>lads c:\
    
    LADS - Freeware version 4.00
    (C) Copyright 1998-2004 Frank Heyne Software (http://www.heysoft.de)
    This program lists files with alternate data streams (ADS)
    Use LADS on your own risk!
    
    Scanning directory C:\
    
          size  ADS in file
    ----------  ---------------------------------
    Error 32 opening C:\pagefile.sys
     368146432  C:\sample.txt:Naughty Linux Women.avi
            18  C:\sample.txt:secret.txt
            21  C:\stuff\:hide.txt
    
    The following summary might be incorrect because there was at least one error!
    
     368146471 bytes in 3 ADS listed
    
    C:\>
    As you can see it found both of the files I hid. To find out more about what LADS can do, run it with the “/?” parameter:

    Code:
    C:\>lads /?
    
    LADS - Freeware version 4.00
    (C) Copyright 1998-2004 Frank Heyne Software (http://www.heysoft.de)
    This program lists files with alternate data streams (ADS)
    Use LADS on your own risk!
    
    Usage: LADS [Directory] [/S] [/D] [/A] [/Xname]
      Directory: directory to scan, current if ommitted
      /S     include Subdirectories
      /D     Debug LADS ;-)
      /V     Verbose error reports
      /A     give a summary of All bytes used in the scanned directories
             (All files and directories are considered as uncompressed
             and all security decriptions are skipped
             for calculating this number!)
      /Xname eXclude any ADS "name"
      /Pfile read Parameters from "file"
    
    C:\>
    Pay special attention to the “/S” parameter; you can use it to search entire hard drives and directory structures for AltDS.

    Another popular tool is Streams from SysInternals. It works in much the same way as LADS:

    Code:
    C:\>streams -s c:\
    
    Streams v1.5 - Enumerate alternate NTFS data streams
    Copyright (C) 1999-2003 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    Failed to open c:\\pagefile.sys:
    The process cannot access the file because it is being used by another process
    
    c:\\sample.txt:
       :Naughty Linux Women.avi:$DATA	368146432
       :secret.txt:$DATA	18
    c:\\stuff:
       :hide.txt:$DATA	21
    ...
    I had to truncate the results above to save space, since Streams is doing a search of the whole C: drive. Streams also has the parameter “-d” to delete streams, but I don’t recommend that you use it unless you are sure of what you are doing.

    For you folks that like to stick to GUIs there are three tools you might want to check out: ADS Spy which is quite slick, Crucial ADS which is also nice and ADS Detector which acts kind of like a plug-in for Explorer that lets you see Alternate Data Streams (unfortunately you have to sign up to download it, and so far I can’t seem to get it to work on my XP box). You can find links to all these tools at the bottom of this tutorial.

    Quick answers and Factoids about AltDS

    How do I delete AltDSes from a file?
    Well, if you delete the file it’s attached to you will delete the AltDS, but I’m imagining you want to leave the base file intact. You can use a tool like Streams (see above) to delete the Alternative Data Streams, or you can rename the file and then use the “type” command to pipe it back to the original file name. Example:

    Code:
    C:\>ren sample.txt delme.txt
    
    C:\>type delme.txt>sample.txt
    
    C:\>del delme.txt
    A third option is to just move the files you want to remove streams from to a FAT32 drive, then move them back to the original drive. You will get a window that pops up asking you to confirm the stream loss; just click yes.

    I see a stream called “AFP_AfpInfo” on a lot of my files, should I worry?

    Most likely it’s ok; this is usually an Apple file system fork like I mentioned at the beginning of this tutorial. AFP stands for Apple Filing Protocol, and this stream should contain information like the icon a Mac would use to show the file. The AFP_AfpInfo stream may have been put there when the file was touched by a Macintosh or if the Windows box it was copied from had Services For Macintosh enabled. It’s possible that a deviant user could name one of their streams AFP_AfpInfo to try and hide it, but it’s not likely because using this name could make it not work as expected when they try to run or open it.

    I see a stream called “encryptable” on my Thumbs.db files, should I worry?

    This is expected behavior for Windows; Thumbs.db holds thumbnails for folders when you choose the thumbnail view in Explorer. It’s ok, but if the size of the encryptable stream is over 0 bytes you might want to take a look at it. Same warnings as AFP_AfpInfo apply.


    Ok, what about streams called “SummaryInformation”, should I worry?

    This is also expected behavior for Windows. Windows sometimes stores text information like titles, keywords, and revision numbers here. Same warnings as AFP_AfpInfo apply.

    Do streams survive being copied across the network or from one hard drive to another?

    Yes, as long as both file systems are NTFS. If the destination is FAT32 the streams will be lost.


    I hope this tutorial helped you to better understand Alternative Data Streams. Please feel free to email me if you have questions, clarifications or more information.


    Further reading:

    The best write up I’ve seen on AltDS:
    http://patriot.net/~carvdawg/docs/dark_side.html

    Great FAQ by the creator of LADS:
    http://www.heysoft.de/nt/ntfs-ads.htm

    Good information on AltDS from wr0ck:
    http://www.ramsecurity.us/texts/ntfsds.php


    Tools:

    LADS - List Alternate Data Streams by Frank Heyne
    http://www.heysoft.de/Frames/f_sw_la_en.htm

    Streams.exe from SysInternals:
    http://www.sysinternals.com/ntw2k/so....shtml#streams

    ScanADS command line tool:
    http://www.kodeit.org/products/scanads/default.htm

    ADS Spy GUI Scanner:
    http://www.spywareinfo.com/~merijn/downloads.html

    Crucial ADS GUI Scanner:
    www.crucialsecurity.com/downloads.html

    ADS Detector for Explorer:
    http://www.codeproject.com/csharp/Cs...torArticle.asp

    Windows ports of Unix tools like CAT:
    http://unxutils.sourceforge.net/

    Side Note: Thanks folks for all your support; it took me two days shy of two months to reach 11 Antipoint dots, and most of you have made me feel very welcome. Thanks.
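    The create, read and delete steps of the tutorial above, redone in PowerShell as an added example (this is not code from the original post). It exists because the tutorial shows that cmd's "type" and "dir" handle streams inconsistently, while PowerShell's -Stream parameter on Set-Content, Get-Content, Get-Item and Remove-Item handles them directly, including deleting a single stream without the rename-and-type workaround from the FAQ. It assumes Windows PowerShell 3.0 or later and that $env:TEMP lives on an NTFS volume; the file name ads-demo.txt and stream name secret.txt are made up for the demo.

```powershell
# Added example, not from the original tutorial.
# Assumes Windows PowerShell 3.0+ and that $env:TEMP is on an NTFS volume.
function Test-AltStreamLifecycle {
    param([string] $BaseFile = (Join-Path $env:TEMP 'ads-demo.txt'))  # constructed demo path

    # 1. Base file. Length (what "dir" shows) only counts the main, unnamed stream.
    Set-Content -LiteralPath $BaseFile -Value 'Just a plain text file'
    $before = (Get-Item -LiteralPath $BaseFile).Length

    # 2. Write a named stream. cmd equivalent: echo You can't see me>ads-demo.txt:secret.txt
    Set-Content -LiteralPath $BaseFile -Stream 'secret.txt' -Value "You can't see me"

    # 3. The reported size is unchanged even though the stream now holds data.
    $after = (Get-Item -LiteralPath $BaseFile).Length

    # 4. Read the stream back without notepad or a cat port.
    $hidden = Get-Content -LiteralPath $BaseFile -Stream 'secret.txt' -Raw

    # 5. Enumerate every stream on the file. ':$DATA' is the main stream itself.
    $seen = Get-Item -LiteralPath $BaseFile -Stream * | Select-Object -ExpandProperty Stream

    # 6. Delete only the named stream; the base file and its contents stay intact.
    Remove-Item -LiteralPath $BaseFile -Stream 'secret.txt'
    $left = @(Get-Item -LiteralPath $BaseFile -Stream * | Where-Object { $_.Stream -ne ':$DATA' })

    [pscustomobject]@{
        SizeBefore    = $before
        SizeAfter     = $after
        SizeUnchanged = ($before -eq $after)     # expected: True
        HiddenText    = $hidden.TrimEnd()
        StreamsSeen   = ($seen -join ', ')       # e.g. ":$DATA, secret.txt"
        StreamsLeft   = $left.Count              # expected: 0 after removal
        BaseText      = (Get-Content -LiteralPath $BaseFile -Raw).TrimEnd()
    }
}

Test-AltStreamLifecycle | Format-List
```

    Run it from any PowerShell prompt; the StreamsSeen and StreamsLeft fields show the same "hidden but enumerable" behaviour that LADS and Streams rely on, and the SizeUnchanged field reproduces the dir observation from the tutorial. Remove-Item -Stream is the same operation as the "-d" switch of Streams, so the same caution applies: be sure of the stream name before deleting it.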
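    For the "Finding AltDS" section and the FAQ entries on AFP_AfpInfo, encryptable and SummaryInformation, here is an added PowerShell scanner (not from the original post and not one of the tools it links) that does what LADS /S and Streams -s do, but tags the stream names the FAQ describes as expected so that the remaining ones stand out for review. It assumes Windows PowerShell 3.0 or later on NTFS. The property-set streams that Windows writes (SummaryInformation and DocumentSummaryInformation) carry a leading control character in their real stream name, so those entries are matched with a wildcard; Zone.Identifier (the mark-of-the-web stream on downloaded files) and AFP_Resource are added to the allow-list from my own knowledge, not from the tutorial. Directory streams such as the :hide.txt example are only listed on PowerShell versions that support -Stream on folders; elsewhere they are skipped silently.

```powershell
# Added example, not from the original tutorial. Assumes Windows PowerShell 3.0+ on NTFS.
function Find-AltStream {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Wildcard patterns for streams Windows or Mac file services create themselves.
        # The leading '*' covers the control character that prefixes the property-set names.
        [string[]] $KnownStream = @('Zone.Identifier', 'AFP_AfpInfo', 'AFP_Resource',
                                    'encryptable', '*SummaryInformation')
    )

    # -Force includes hidden and system entries; files that cannot be opened
    # (pagefile.sys and friends, as seen in the LADS output) are skipped.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $name = $_.Stream
                    # ':$DATA' is the main stream, i.e. the file itself; only report named ones
                    if ($name -eq ':$DATA') { return }
                    $known = [bool]($KnownStream | Where-Object { $name -like $_ })
                    [pscustomobject]@{
                        File   = $item.FullName
                        Stream = $name
                        Length = $_.Length
                        Known  = $known
                    }
                }
        }
}

# Report streams that are not on the allow-list, largest first. A hidden EXE or video
# shows up here by size alone; a zero-length 'encryptable' stream is filtered as expected.
Find-AltStream -Path 'C:\' |
    Where-Object { -not $_.Known } |
    Sort-Object Length -Descending |
    Format-Table File, Stream, Length -AutoSize
```

    Drop the Where-Object filter to see everything, including the allow-listed streams with their sizes; as the FAQ notes, an encryptable or AFP_AfpInfo stream that is unexpectedly large still deserves a look, since the name alone proves nothing. Scanning a whole drive takes a while, exactly as with LADS /S, so point it at a narrower directory first.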

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,


    Nice post... and decent tutorial as always... but generally it's taboo to post something that's been done before... it'll usually get you negged as you already know.. I'm not going to do that.. call it the biased elitism towards fellow addicts/seniors but who cares... Anyways this topic has been covered here many many times.

    http://www.antionline.com/showthread...te+Data+Stream

    http://www.antionline.com/showthread...te+Data+Stream

    http://www.antionline.com/showthread...te+Data+Stream

    http://www.antionline.com/showthread...te+Data+Stream

    http://www.antionline.com/showthread...te+Data+Stream

    http://www.antionline.com/showthread...te+Data+Stream

    Anyways well written none-the-less... just next time search first

    Peace,
    HT

    [Edit]
    Btw it's the Alternate Data Stream... not Alternative :P
    [/Edit]
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    kurt_der_koenig (the beign of authority)
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567
    but generally it's taboo to post something that's been done before
    lol yeah, but got to give him credit for writing nice tuts!

    On my quick glance over it I seen one thing that stood out for me::
    <HTML>
    <BODY>
    <PRE>
    <?
    echo "If I see this I know it worked"
    ?>

    </BODY>
    </HTML>
    Don't you have to finish your <pre> code? (i.e. </pre>).

  4. #4
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I understand where you're coming from, but many of those threads are not specifically about Alternative Data Streams (or they are not in the Tutorials section). And as for those that are, I’ve added some more details to mine that might be helpful to those that wish to look in just one place for information. For example: information about IIS, AFP_AfpInfo/encryptable/SummaryInformation streams, using AltDS with videos and getting files back out of AltDS in their original form.

  5. #5
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Originally posted here by kurt_der_koenig

    Don't you have to finish your <pre> code? (i.e. </pre>).
    It’s considered good form to, guess I forgot.


    Originally posted HTRegz

    Btw it's the Alternate Data Stream... not Alternative :P
    I've seen it both ways; even Microsoft sometimes uses the words "Alternative Data Streams":

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q286797

  6. #6
    King Arana: Super Moderator
    Join Date
    Oct 2002
    Posts
    4,055
    yeah, but got to give him credit for writing nice tuts!
    I believe he did.

    Nice post... and decent tutorial as always...
    Space For Rent.. =]

  7. #7
    kurt_der_koenig (the beign of authority)
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567
    I believe he did.
    I know he did, it wasn't a command or suggestion. nvm

  8. #8
    phishphreek (AO übergeek)
    Join Date
    Jan 2002
    Posts
    4,324
    Nice tutorial! I'd green ya... but I have to spread.

    I like how you incorporated the IIS. I wonder if it'll work with other web servers... and I wonder if we've seen that before by scammers/spammers? It'd be a good way for them to hide stuff from their ISP. They'll get reports, look, see nothing and pass it off? Unless they look at the actual access logs and not just the webroot directory...

    Too bad my school server uses linux... or I'd be hiding my movies and mp3s on there....
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #9
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Update: to get ADS Detector to work after you have installed it, open your Explorer window, then go to View->Explorer Bar and check "ADS detector". Thanks to David Bishop of Anderson Engineering for pointing out to me how to get ADS Detector to work.

  10. #10
    Senior Member
    Join Date
    Oct 2004
    Posts
    118

    Can't delete the streamed data

    Irongeek,

    I've tried to delete the streamed data but it isn't working. I mean the .txt file is getting deleted but it isn't freeing up disk space. I've attached a file along with this post. The disk space isn't increasing after I delete it.
    Never trouble another for what you can do for yourself.
    -Thomas Jefferson

